1

I'm creating a website where users will need to be able to upload images, and I'd like them to be able to delete those images. Right now, I have a page that will display all of the images that that user has uploaded, and I have a php set up to delete an image from the database. It just needs to be given the id of the image. I have it functioning with the GET method, but I'm concerned a user could find the URL for my delete php and put in random ids, deleting everyone's images. Is there a way I can adjust my code to make it safer?

<?php
$sql = "SELECT id, userid, name, image FROM images";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
    // output data of each row
    while($row = mysqli_fetch_assoc($result)) {
        if ($imageUser == $row["userid"]){
            echo "<tr>";
            echo "<th>".$row["userid"]."</th>";
            echo "<th>".$row["name"]."</th>";
            echo "<th><img src='showimage.php?id=".$row["id"]."'></th>";
            echo "<th><a href='imgdelete.php?id=".$row["id"]."'>delete</a></th>";
            echo "</tr>";
        }
    }
} else {
    echo "0 results";
}

?>

The delete.php simply deletes the entry WHERE id=$_GET['id'];

Dan White
  • user login\password system would be the usual approach –  Sep 29 '16 at 19:44
  • Check [This answer](http://stackoverflow.com/questions/10519064/why-is-using-a-http-get-to-update-state-on-the-server-in-a-restful-call-incorrec) explaining why to use post instead of get – Stormhashe Sep 29 '16 at 19:47
  • You should use post...post is a safe method too...you can read a little bit about it: https://stormpath.com/blog/put-or-post – Hackerman Sep 29 '16 at 19:49
  • I understand the need to use POST, but I'm not sure how to implement it. I also had it set up with an active session, but the issue is that each delete button somehow has to have a unique identifier associated with that image and then send that through to the delete php when the user clicks "delete". – Dan White Sep 29 '16 at 19:52
  • No no no, POST is no safer. I can hit any URL with a POST request as easily as a GET. You have to validate who is making the request –  Sep 29 '16 at 20:05

1 Answer

2

In a RESTful API, a GET request should never modify the data. If you want to delete items, you should use a POST or a DELETE request.

bougiefever
  • How can I adjust my code to use POST instead? Should I turn the delete link into a form? – Dan White Sep 29 '16 at 19:50
  • Sorry, this is a valid answer to my question. I should have asked the right question. I will repost with a better question. – Dan White Sep 29 '16 at 19:54
  • 1
    NO, post is no safer –  Sep 29 '16 at 20:05
  • 1
    @nogad is correct, post is **not** safer. It's slightly more obscure, which is your ticket to a false sense of security. It *is* more semantically correct, but that's somewhat secondary... the fact that you would even consider writing code that deletes content or does anything else that should require validation of specific user privilege... without actually validating those privileges... is a big red flag. – Michael - sqlbot Sep 30 '16 at 02:34
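
The ownership check the comments above call for, as an added example that is not part of the original thread or any poster's code. It assumes the login code stored an integer user id in `$_SESSION['userid']` and a random token in `$_SESSION['csrf_token']`; `db.php` and `images.php` are hypothetical file names, while the `images` table and its `id` and `userid` columns come from the question.

```php
<?php
// imgdelete.php (added example). On the listing page, replace the delete link
// with one small form per row, which carries the image id as a hidden field:
//   <form method="post" action="imgdelete.php">
//     <input type="hidden" name="id" value="(row id)">
//     <input type="hidden" name="csrf_token" value="(session token)">
//     <button>delete</button>
//   </form>
session_start();
require 'db.php'; // hypothetical include that creates the mysqli handle $conn

// Deleting is a state change, so a plain GET link must never reach the query.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method not allowed');
}
// The user id is taken from the session (assumed set at login), never from the request.
if (!isset($_SESSION['userid'])) {
    http_response_code(401);
    exit('Not logged in');
}
// CSRF: the form must send back the token kept in the session (assumed name).
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || !isset($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(403);
    exit('Bad token');
}
// The image id must be a positive integer.
$imageId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($imageId === false || $imageId === null) {
    http_response_code(400);
    exit('Bad image id');
}
// The ownership check is part of the DELETE itself: a row is removed only when
// it belongs to the session user, so submitting someone else's id deletes nothing.
$userId = (int) $_SESSION['userid'];
$stmt = mysqli_prepare($conn, 'DELETE FROM images WHERE id = ? AND userid = ?');
mysqli_stmt_bind_param($stmt, 'ii', $imageId, $userId);
mysqli_stmt_execute($stmt);

if (mysqli_stmt_affected_rows($stmt) !== 1) {
    http_response_code(404); // no such image, or not owned by this user
    exit('No such image');
}
header('Location: images.php'); // hypothetical listing page
```

Returning the same 404 for "does not exist" and "not yours" avoids confirming which ids belong to other users.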